Gary,
Is it silly to suggest that we just rename "STIXPackage" to "IntrusionSet"? I totally understand your points below, and also that not all STIXPackages might be IntrusionSets, but given that we are basically assuming that any TLO can be linked to another TLO (although in practice we'd recommend which should be linked to which), it seems like having a dedicated IntrusionSet object would be duplicative of a STIXPackage.
Perhaps we could also add a variant of STIXPackage that declares it to be an IntrusionSet?
Alex
-----Original Message-----
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Katz, Gary CTR DC3/DCCI
Sent: Monday, May 16, 2016 3:20 PM
To: 'Jason Keirstead'
Cc: 'Jordan, Bret'; Terry MacDonald; Paul Patrick; cti-stix@lists.oasis-open.org
Subject: [cti-stix] RE: [Non-DoD Source] RE: [cti-stix] Results of the Campaign Mini-Group
Jason,
I'll work with Paul and a couple of others on providing a good set of definitions, but if you review the second paragraph of my last email you can see a clear example of where an intrusion set is not just a collection of campaigns. I would personally associated a campaign to an intrusion set through the "attributed-to" relationship. Intrusion Sets are much closer to a Threat Actor in the sense that an Intrusion Set is usually associated with a single organization. You may not know the organization behind an Intrusion Set when you begin tracking it, but it is the responsibility of the intel analyst to determine who is behind the Intrusion Set. You may also have the Threat Actor(s) behind an Intrusion Set at a higher classification level than the Intrusion Set name. This means that analysts may be able to share the information related to an Intrusion Set, but if they were to call out the Threat Actor behind the Intrusion Set they would be unable to share the connection. There are also organizations that may track Intrusion Sets but do not have a need to know (or care) directly who the Threat Actor is.
-Gary
-----Original Message-----
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Monday, May 16, 2016 3:08 PM
To: Katz, Gary CTR DC3/DCCI
Cc: 'Jordan, Bret'; Terry MacDonald; Paul Patrick; cti-stix@lists.oasis-open.org
Subject: [Non-DoD Source] RE: [cti-stix] Results of the Campaign Mini-Group
Gary (or anyone else) - this might sound like a silly question, but where can I find the actual definition of an "intrusion set" as you are describing below?
I tried Googling it and came up mostly empty handed - a lot of blogs and articles referencing the term, without any actual definition (as opposed to Campaign which is defined everywhere). The only thing I found was this:
An intrusion set is defined as groups of computer security incidents that share similar actors or methods.
Does this match your definition? If so - is it more of that a campaign has a "uses a" relationship to intrusion set?
To have a coherent discussion we need a definition of what we're discussing - and I will be upfront that I have no idea what an intrusion set is (except the above), so I expect others don't as well.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Inactive hide details for "Katz, Gary CTR DC3---05/16/2016 02:55:56 PM---Bret, Intrusion Sets are core piece of functionalit"Katz, Gary CTR DC3---05/16/2016 02:55:56 PM---Bret, Intrusion Sets are core piece of functionality used across the USG intelligence community,
From: "Katz, Gary CTR DC3/DCCI" <Gary.Katz.ctr@dc3.mil>
To: "'Jordan, Bret'" <bret.jordan@bluecoat.com>, Terry MacDonald <terry.macdonald@cosive.com>
Cc: Paul Patrick <ppatrick@isightpartners.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 05/16/2016 02:55 PM
Subject: RE: [cti-stix] Results of the Campaign Mini-Group Sent by: <cti-stix@lists.oasis-open.org>
________________________________
Bret,
Intrusion Sets are core piece of functionality used across the USG intelligence community, FVEY, the Defense Industrial Base (which is a larger sharing or as large community as FS-ISAC) and advanced cyber analytic commercial entities such as Mandiant (see the APT1 report). In truth, for many of us, Intrusion Sets are of greater importance than Campaigns.
There is also an issue with just stating that an intrusion set is just a set of campaigns grouped together. In some cases you may not be able to relate an incident back to a campaign but you can relate it back to an intrusion set. You may acquire data from a source which is not associated with an incident. For example you recognize that a known domain associated with APT6 used to point to a specific IP address but is now pointing to another IP address which is being used to park a number of domains so now you want to capture that new IP address and all of the domains also pointing to it as being associated with that Intrusion Set. There's no campaign associated with that data, it's just new infrastructure that has been seen.
I understand the concern that some feel we are creating a lot of TLOs but please remember that it is our job to be able to provide the constructs so that cyber intelligence analysts can perform their job, not to determine what constructs that are heavily used should be allowed to be used in the future or not allowed to be used.
Hope this helps,
-Gary
-----Original Message-----
From: Jordan, Bret [mailto:bret.jordan@bluecoat.com]
Sent: Saturday, May 14, 2016 9:49 PM
To: Terry MacDonald
Cc: Paul Patrick; Katz, Gary CTR DC3/DCCI; cti-stix@lists.oasis-open.org
Subject: [Non-DoD Source] Re: [cti-stix] Results of the Campaign Mini-Group
That is a really good option Terry... Another option is to just have a flag on a Campaign to say, is this an Intrusion Set...
One question I would like to ask, is who needs Intrusion Set functionality in the near term...?
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On May 14, 2016, at 17:05, Terry MacDonald <terry.macdonald@cosive.com> wrote:
It strikes me that we are generating a lot of 'summary' objects at the moment, rather than using the relationships to hook things up together. I would see an intrusion set as being a set of campaign objects related together using a relationship type such as 'similar-to' or something like that. This ensures that all the campaigns are related together, yet avoids the need for a TLO.
Cheers
Terry MacDonald
On 13/05/2016 07:21, "Paul Patrick" <ppatrick@isightpartners.com> wrote:
Gary,
Thanks for the clarification.
Based on your clarifications and definitions, I can definitely support the proposal for Intrusion Sets
Paul Patrick
On 5/12/16, 9:14 AM, "Katz, Gary CTR DC3/DCCI" <Gary.Katz.ctr@dc3.mil> wrote:
>Paul,
> I believe my comment was slightly mistaken, which is causing some confusion. It is not that Campaigns and Intrusion Sets are nearly identical. It is that the properties assigned to the STIX Campaign object and the properties assigned to the Intrusion Set object are nearly identical. The purposes of capturing Campaigns and Intrusion Sets and their definitions are very different.
>
>Gary's attempt at definitions:
>Campaign: A set of incidents, usually occurring over a discrete time frame which have shared properties or objectives.
>Intrusion Set: A grouped set of activity or infrastructure with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple campaigns that were all tied together by a shared TTPs.
>Threat Actors: The individuals or organizations that are conducting the activity associated with a Campaign or Intrusion Set.
>
>Interested in your thoughts here.
>-G
>
>-----Original Message-----
>From: Jordan, Bret [mailto:bret.jordan@bluecoat.com]
>Sent: Wednesday, May 11, 2016 10:39 PM
>To: Paul Patrick; Katz, Gary CTR DC3/DCCI
>Cc: cti-stix@lists.oasis-open.org
>Subject: [Non-DoD Source] Re: [cti-stix] Results of the Campaign
>Mini-Group
>
>I agree on the Threat Group, it seems like it is just a Threat Actor with a property that has an optional Group_Name.
>
>Gary Katz will need to speak to the Intrusion_Set.
>
>
>
>Thanks,
>
>Bret
>
>
>
>Bret Jordan CISSP
>Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>
>
> On May 11, 2016, at 20:20, Paul Patrick <ppatrick@isightpartners.com> wrote:
>
> Why would need need a Threat Group since a Threat Actor could be an individual or a group. The identity associated with the Threat Actor should contain information about whether its a group or an individual.
>
> With regards to Intrusion_Set, I’d like to better understand how that is nearly identical to Campaign. Can someone provide their definition of an Intrusion_Set?
>
>
> Paul Patrick
>
>
>
> From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
> Date: Wednesday, May 11, 2016 at 9:26 PM
> To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
> Subject: [cti-stix] Re: Results of the Campaign Mini-Group
> Resent-From: <Paul.Patrick@FireEye.com>
>
>
>
>
> The Campaign mini-group also discussed two additional TLOs that the STIX SC might consider.
>
> 1) Threat Group
> My question is, is this really a different TLO, or should we make a property on the Threat Actor TLO that has a Group_Name property. We could then allow Threat Actor TLOs to be related to other Threat Actor TLOs. So Threat_Actor (A) could be a GROUP and Threat_Actor (B) and Threat_Actor (C) could be individuals that are related to the Group (Threat_Actor (A)).
>
> 2) Intrusion_Set
> The idea behind this TLO is that it is nearly identical to the Campaign TLO but is used for relating a collection of Campaigns.
>
>
>
>
>
>
> Thanks,
>
> Bret
>
>
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>
>
> On May 11, 2016, at 17:26, Jordan, Bret <bret.jordan@BLUECOAT.COM> wrote:
>
> All,
>
> Please see the following pre-draft document for the initial proposal coming out of the Campaign mini-group..
>
>
> https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF
> 24LvOQAsk/edit#heading=h.bcqwxvu8zvzb
>
> Please add suggestions / comments to the document.
>
>
>
>
>
> Thanks,
>
> Bret
>
>
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>
>
>
>
----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.